hi
first review the syntax
ip address outside60.181.111.210 255.255.255.252
ip address inside 192.168.253.1 255.255.255.0
ip address dmz 60.181.111.193 255.255.255.240
nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
This is the running configuration which is allowing the internal host to communicate from inside to outside interface. But boss told me to enable access from inside to dmz also; for that I added the following command
nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
global (dmz) 2 60.181.111.195
The dmz's public IPs stop browsing to outside. Why?
And I also added the ping trace command
access-list icmp_acl permit icmp any any
access-group icmp_acl in interface dmz
Any idea? And if I am wrong, then what is the appropriate approach of the command?
Thank you

ip address outside60.181.111.210 255.255.255.252
I don't know that much about PIX configuration but I believe there should be a space between "outside" and "60". I'm not sure if that will make a difference or not but it did jump out at me.

My dear, it's a typing mistake, otherwise PIX wouldn't take that command.
Please, anyone, help me out in this deep trouble. Here is more detail:
inside ip 192.168.253.0/24
outside 60.181.111.210/30
dmz ip 60.181.111.192/28
Now, answering in more detail: the existing commands were working great. The defined inside (private IP) and dmz (public IP) users were accessing the internet successfully. The enhancement which I have to do was that the inside user should access outside as well as dmz. For that I added the blue lined command (previously talked) to the existing commands. Actually the following command
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
is allowing the inside user to the outside world (patting), and I thought that if I add the
global (dmz) 2 60.181.111.195
it will allow the inside user to access the dmz as well, because NAT is used to allow traffic from high security interface (inside) to lower security interface (dmz).
And access list is used to allow traffic from low sec interface to high sec int.
I think I have to add a NAT command with a new NAT "ID", that is
nat (inside) 3 192.168.250.128 255.255.255.192
global (dmz) 3 60.181.111.195
What do you people say about this?
Thank you
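
The nat/global pairing discussed in this thread can be checked offline. The following is an added example, not code from any poster: a small Python model of PIX 6.x-style matching, where a nat statement pairs with every global that has the same NAT ID and nat 0 means no translation. The config text is constructed from the commands quoted above (with the interface-name spacing fixed); the function names are hypothetical, and statics, ACLs and security levels are not modelled.

```python
import ipaddress

# Constructed from the commands quoted in the thread (config after the change).
CONFIG = """\
ip address outside 60.181.111.210 255.255.255.252
ip address inside 192.168.253.1 255.255.255.0
ip address dmz 60.181.111.193 255.255.255.240
nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
global (dmz) 2 60.181.111.195
"""

def parse(config):
    """Return interface subnets, nat statements and global statements."""
    ifaces, nats, globals_ = {}, [], []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) == 5:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[:1] == ["nat"] and len(t) == 5:
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}")
            nats.append((t[1].strip("()"), int(t[2]), net))
        elif t[:1] == ["global"] and len(t) >= 4:
            globals_.append((t[1].strip("()"), int(t[2]), t[3]))
    return ifaces, nats, globals_

def translation_paths(config):
    """Pair each nat statement with every global that shares its NAT ID."""
    _, nats, globals_ = parse(config)
    paths = []
    for src_if, nat_id, net in nats:
        if nat_id == 0:  # nat 0: addresses leave untranslated, no global needed
            paths.append((src_if, str(net), "any", "untranslated"))
            continue
        for dst_if, gid, addr in globals_:
            if gid == nat_id and dst_if != src_if:
                paths.append((src_if, str(net), dst_if, addr))
    return paths

def nets_off_interface(config):
    """List nat source networks that lie outside the interface's own subnet."""
    ifaces, nats, _ = parse(config)
    return [(i, str(n)) for i, _, n in nats if not n.subnet_of(ifaces[i])]
```

Calling `translation_paths(CONFIG)` lists which source interface and network can be translated toward which egress interface, and `nets_off_interface(CONFIG)` reports nat source ranges that are not part of the directly connected subnet.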
